RE: Cisco ISE & FreeRADIUS

2017-08-08 Thread Case, Brandon J
Hi Sean,

Our ISE deployment proxies most of our wireless authentications to a load 
balanced FreeRADIUS setup. It's had its bumps but it's been working well for 
several semesters now. Where are you running into trouble?

Thanks,
--
Brandon Case
Senior Network Engineer
IT Infrastructure Services
Purdue University
ca...@purdue.edu
Office: (765) 49-67096
Mobile: (765) 421-6259
Fax:(765) 49-46620

PGP Fingerprint:
99CB 02D6 983C 1E2A 015F  205C C7AA E985 A11A 1251

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Gray, Sean
Sent: Thursday, August 3, 2017 5:19 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco ISE & FreeRADIUS

Hi Everyone,

This may have been discussed sometime in the past, so apologies if I'm asking a 
question that's already been answered.

Has anyone been able to successfully get Cisco ISE to work with an external 
freeRADIUS server? I think the problem we are running into is ISE is unable to 
understand the freeRADIUS servers response.

Thanks

Sean


Sean Gray | B.Sc (Hons)
Voice, Collaboration & Wireless Network Analyst
ITS, University of Lethbridge


** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.




RE: Cisco 8540s, and 8.3.102 Code

2016-09-06 Thread Case, Brandon J
We deployed our first 8540s running 8.3.102 and ended up running into 
CSCva98592. Basically caused both HA peers to crash and reboot simultaneously. 
Also had problems re-pairing them after bringing the secondary out of 
maintenance state. We were advised to back down to 8.2.121.9 which is an 
engineering special that we had to request. Been stable on that for about 2 
weeks now. 8540 pair has about 250 APs and peaks around 1300 clients right now. 
We are not running AVC though.

-Brandon

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Tuesday, September 6, 2016 3:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco 8540s, and 8.3.102 Code

Sigh... we continue to have WLC performance issues seemingly related to AVC, 
even after upgrading to 8.2.121. TAC has mentioned 8.3.102 as having AVC fixes, 
but I don't see anything after looking at release notes. Anyone using 8.3.102, 
or heard any rumblings that are of concern?



Lee Badman | Network Architect (CWDP, CWNA, CWSP, Mobility+)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu



** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.




RE: [WIRELESS-LAN] Cisco interface groups

2016-08-25 Thread Case, Brandon J
Purdue is an all-Cisco shop and we've been using interface groups for a few 
years now. We use them on our main 1x SSID and also with AAA override on eduroam 
to put Purdue users into the same set of VLANs as the 1x SSID (consistent 
access experience). It's worked very well so far. As Timothy said: it is harder 
to remove interfaces from the group than to add them. It requires disabling any 
WLAN using the group. I've taken to scripting it out to reduce downtime 
whenever we have to remove an interface.

Another neat use of the group is moving clients to a new set of VLANs. We’ve 
done that in the past by adding the new ones to the group and then disabling 
DHCP services on the old ones. The controller will eventually stop using the 
old ones and then they can be removed from the group.

-Brandon

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Timothy Burns
Sent: Thursday, August 25, 2016 8:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco interface groups

I started using them minimally (only 3 interfaces to the group) here when we 
implemented eduroam on our campus. So far I haven't seen any issues. My plan is 
to start using them more. Currently, we separate our subnets per building, so 
my thought is to begin combining them into groups in hopes to make roaming 
easier on the clients.
The only issue I have run into, and it's not really an issue, is that it is very 
easy to add interfaces to a group, but not so easy to remove them. Just 
something to keep in mind as you're testing and putting it into production.


On Thu, Aug 25, 2016 at 6:50 AM, James Helzerman wrote:

Hi.  For those using interface groups on Cisco WLC, could you share any 
experiences good or bad that you have had?  We are exploring the use of aaa 
override and return the interface group name rather than vlan.

Thanks

Jimmy

James Helzerman
Wireless Network Engineer
University of Michigan



--

Tim Burns

Network Administrator
1 University Heights
Asheville, NC 28804
828-232-5013
bu...@unca.edu



RE: Who WiFi vendors does everyone use? REVISITED

2016-04-01 Thread Case, Brandon J
Purdue University
~36,000 unique users per day from ~55,000 unique devices
~8500 Cisco APs (mix of 3500s, 3700s and 702Ws)
Controller-based deployment with 3 HA pairs of Cisco 8510s
Managed with Cisco Prime 3.0 and home grown tools

-Brandon

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watters, John
Sent: Friday, April 1, 2016 10:06 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Who WiFi vendors does everyone use? REVISITED

Can we revisit this subject? It seems to have gotten a good number of responses 
but the information is of limited use without other information to go with it.

If folks will send me information on their wireless networks I will tabulate it 
and send it back out to the list.

How about the following info:

School name
Total number of clients served (faculty + staff + students + guess at guests) 
during a typical school day
Brand(s) of APs in use and approximate number of APs for each brand
Whether the APs are standalone or controller based
Wireless management platform (e.g., Cisco Prime, HP Aruba Airwave, none, etc.)


For the University of Alabama I would answer as follows:

The University of Alabama
45,000 clients
Cisco 5,000 APs
Controller based
HP Aruba Airwave management


If others want to suggest additional questions, that is fine as long as we can 
get them soon enough so that most people who respond will have answers to all 
of the questions. Why don't we collect questions until next WED and try to get 
the poll sent out next THU?




-jcw

John Watters   The University of Alabama
Office of Information Technology
205-348-3992





RE: [WIRELESS-LAN] Who wifi vendors does everyone use?

2016-04-01 Thread Case, Brandon J
Purdue is an all-Cisco shop with about 8500 APs

-Brandon

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Todd M. Hall
Sent: Friday, April 1, 2016 8:44 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Who wifi vendors does everyone use?

Mississippi State is Cisco with 2k APs.

On Thu, 31 Mar 2016, Brian L. Cox wrote:

> Date: Thu, 31 Mar 2016 15:17:10 -0500
> From: Brian L. Cox 
> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
> 
> To: WIRELESS-LAN@listserv.educause.edu
> Subject: Re: [WIRELESS-LAN] Who wifi vendors does everyone use?
> 
> We are identical to Suffolk University... just under 1000 Aruba AP's, 
> ClearPass, Airwave and Extreme/Enterasys for wired.
>
> __
> Brian L Cox
> Information Technology Services
> Director of Networking & IT infrastructure
> University of Nebraska Kearney
> (308)865-8176
>
>
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeremy Gibbs
> Sent: Thursday, March 31, 2016 2:01 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Who wifi vendors does everyone use?
>
> I am sort of surprised at the low number of people using Extreme Networks.  
> Then again, maybe I shouldn't be.
>
>
> --
>
> Jeremy L. Gibbs
> Sr. Network Engineer
> Utica College IITS
> On Thu, Mar 31, 2016 at 12:55 PM, Norman Mourtada wrote:
> We are all Aruba for wireless just under a 1000 APs, with Clearpass and 
> Airwave and Extreme/Enterasys for wired.
>
> Norm Mourtada
> Suffolk University
> Boston, MA 02108
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
>  On Behalf Of Watters, John
> Sent: Thursday, March 31, 2016 12:44 PM
> To: 
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Who wifi vendors does everyone use?
>
> Cisco -- just under 6K APs right now.
>
>
>
>
> -jcw  
>
> John Watters   The University of Alabama
>Office of Information 
> Technology
>205-348-3992
>
>
>
>

-- 
Todd M. Hall
Sr. Network Analyst
Information Technology Services
Mississippi State University
t...@msstate.edu
662-325-9311 (phone)



RE: User and/or Location-based Content Restriction

2016-02-10 Thread Case, Brandon J
Thanks everyone for the great responses and discussion about this. It's still 
unclear how we'll end up proceeding but all of the feedback from this group has 
been really valuable!

-Brandon

-Original Message-
From: Case, Brandon J 
Sent: Monday, February 8, 2016 2:28 PM
To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
(WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU)
Subject: User and/or Location-based Content Restriction

Is anyone exploring or able to suggest good options for rate limiting or 
preventing access to random content services? This idea was posed to me today 
from up the chain with the goal of limiting certain students' ability to access 
certain services for a certain time, potentially only from a certain location. 
Yep.

As an example: Student A has a class in room 2 of building Z from 8:30 to 9:20 
M, W and F. The goal would be to prevent (or severely hinder the ability of) 
student A watching Netflix from 8:30 to 9:20 M, W and F while they're in room 2 
of building Z. Outright blocking of access to Netflix during that timeframe for 
student A regardless of location has also been discussed. I've already provided 
a plethora of possible pitfalls to any of these types of approaches and the 
associated administrative overhead they could incur but am being asked for 
answers all the same. 

Yes, this does definitely wade into the treacherous waters of technological 
solutions to what are really social problems (and I know has been discussed on 
this list in the past) however, I'm charged with providing some form of an 
answer up the chain and so I turn to you all for comments, insight and 
cautionary tales.

We're an all-Cisco shop with a healthy ISE deployment so my focus is there with 
AAA override for ACLs, dynamic VLAN assignments, AVC profiles and QoS profiles. 
Any solution I've thought of so far feels too much like a blunt object though.

Thanks,
--
Brandon Case
Senior Network Engineer
IT Infrastructure Services
Purdue University
ca...@purdue.edu
Office: (765) 49-67096
Mobile: (765) 421-6259
Fax:(765) 49-46620

PGP Fingerprint:
99CB 02D6 983C 1E2A 015F  205C C7AA E985 A11A 1251



User and/or Location-based Content Restriction

2016-02-08 Thread Case, Brandon J
Is anyone exploring or able to suggest good options for rate limiting or 
preventing access to random content services? This idea was posed to me today 
from up the chain with the goal of limiting certain students' ability to access 
certain services for a certain time, potentially only from a certain location. 
Yep.

As an example: Student A has a class in room 2 of building Z from 8:30 to 9:20 
M, W and F. The goal would be to prevent (or severely hinder the ability of) 
student A watching Netflix from 8:30 to 9:20 M, W and F while they're in room 2 
of building Z. Outright blocking of access to Netflix during that timeframe for 
student A regardless of location has also been discussed. I've already provided 
a plethora of possible pitfalls to any of these types of approaches and the 
associated administrative overhead they could incur but am being asked for 
answers all the same. 

Yes, this does definitely wade into the treacherous waters of technological 
solutions to what are really social problems (and I know has been discussed on 
this list in the past) however, I'm charged with providing some form of an 
answer up the chain and so I turn to you all for comments, insight and 
cautionary tales.

We're an all-Cisco shop with a healthy ISE deployment so my focus is there with 
AAA override for ACLs, dynamic VLAN assignments, AVC profiles and QoS profiles. 
Any solution I've thought of so far feels too much like a blunt object though.

Thanks,
--
Brandon Case
Senior Network Engineer
IT Infrastructure Services
Purdue University
ca...@purdue.edu
Office: (765) 49-67096
Mobile: (765) 421-6259
Fax:(765) 49-46620

PGP Fingerprint:
99CB 02D6 983C 1E2A 015F  205C C7AA E985 A11A 1251



It's that time of year...

2015-12-02 Thread Case, Brandon J
The holidays are officially upon us!

http://gizmodo.com/can-christmas-lights-really-play-havoc-with-your-wi-fi-1745648879

Has anyone else gotten wind of this yet? Seems to be making the rounds here.

Thanks,
--
Brandon Case
Senior Network Engineer
IT Infrastructure Services
Purdue University
ca...@purdue.edu
Office: (765) 49-67096
Mobile: (765) 421-6259
Fax:(765) 49-46620

PGP Fingerprint:
99CB 02D6 983C 1E2A 015F  205C C7AA E985 A11A 1251



RE: [WIRELESS-LAN] Cisco WLC w/ ISE and/or Clearpass for Large-Scale Guest Access, MAC exceptions- problems?

2015-10-12 Thread Case, Brandon J
Hi Lee,

Here at Purdue we've got a fleet of WLCs, mostly WiSM2s from which we're 
migrating to 8510s. We have one 8510 dedicated to wireless service in our 
residence halls. It has around 2400 APs joined to it and I've personally seen 
the concurrent user count reach over 11k during peak hours. It provides 4 SSIDs 
(not great but could be worse): our main 1x network that we provide everywhere 
else on campus, one for gaming/media/non-1x devices, eduroam and attwifi. The 
gaming/media SSID is open with MAC auth and has the most complex setup of all 
of those.

We use ISE to have the students register their various devices through a portal 
which then adds it to an identity group that's used in authorization policy. To 
prevent students from connecting their laptop/phone/tablet/whatever to the 
gaming/media network we're using a logical profile in ISE. If they do happen to 
connect something to the gaming/media network that could connect to the 1x 
network we drop them at a page that instructs them to connect the device to the 
main 1x network. It works well enough but the biggest headache we've had with 
it is XBox Ones. Since they profile in ISE as Windows 8 machines most of the 
time, we've had to manually assign some of them to the XBox One profile we 
created. Of course that means a request comes through a trouble ticket via our 
helpdesk or the ever-popular back channels that seem to keep working. Either 
way, a less than satisfactory user experience. However, by and large the system 
works well and has seen increased usage as time has gone on (this is the second 
semester it has been live).

We do have AVC enabled on the 1x network but so far /knockonwood we haven't had 
any problems as a result of that. To answer your original questions though: we 
haven't had any major issues or disappointments related to the controller.

Thanks,
--
Brandon Case
Senior Network Engineer
IT Infrastructure Services
Purdue University
ca...@purdue.edu
Office: (765) 49-67096
Mobile: (765) 421-6259
Fax:(765) 49-46620

PGP Fingerprint:
99CB 02D6 983C 1E2A 015F  205C C7AA E985 A11A 1251



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Monday, October 12, 2015 12:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco WLC w/ ISE and/or Clearpass for Large-Scale Guest 
Access, MAC exceptions- problems?

Hello to the excellent group.

I'm dealing with a catastrophic code issue with AVC right now on our 8510s that 
has me nervous about another feature we plan on using- the tight integration 
between our WLCs and either ISE, Clearpass, or SafeConnect SE. We currently do 
all wireless guest access through a 3rd party box that is growing long in the 
tooth.

For those on high-capacity 85xx controllers and using the likes of web 
redirect/policies on the WLC for guest operations and MAC exceptions, have you 
run into any WLC code issues that have crippled the service or resulted in 
organization embarrassment? Any gotchas or disappointments?


Thanks-

Lee

Lee Badman | Network Architect
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu






RE: [WIRELESS-LAN] Handling Non 802.1x Devices on the Enterprise Network

2015-09-01 Thread Case, Brandon J
We are doing pretty much the same thing as well, although without the DHCP 
tie-in.

We set up a separate SSID for gaming consoles/media devices in the residence 
halls and have students register them via one of ISE's portals. We did set up 
an authorization policy with a logical profile to prevent 1x-capable devices 
from using the SSID. They get stuck in a walled garden and can only see a page 
that essentially says they have to connect the device they're currently using 
to the 1x SSID (which is the same one we broadcast all over campus). The 
profiling component of ISE works pretty well most of the time but we have had a 
real headache dealing with XboxOne's since they are essentially Windows 8 
machines and we drop Windows 8 clients in the walled garden. I ended up writing 
a few custom rules in the profiler that catch most of them and we handle the 
rest on an individual basis.

The whole system has worked out pretty well considering the scope (about 12,000 
students in 15 residence halls). It hasn't been without its share of bumps but 
overall we're pleased with it.

Thanks,
--
Brandon Case
Senior Network Engineer
IT Infrastructure Services
Purdue University
ca...@purdue.edu
Office: (765) 49-67096
Mobile: (765) 421-6259
Fax:(765) 49-46620

PGP Fingerprint:
99CB 02D6 983C 1E2A 015F  205C C7AA E985 A11A 1251

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Rick Coloccia
Sent: Tuesday, September 1, 2015 10:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Handling Non 802.1x Devices on the Enterprise 
Network

+1. We're doing almost exactly the same.
On 9/1/2015 10:53 AM, Williams, Matthew wrote:
We have an SSID for these devices and we built a device registration page for 
our students to go to enter their wireless MAC address.  This page requires the 
students to login so we capture who owns the device in question.  This page has 
an API that ties into our DHCP system.  Several of the newer RADIUS products 
have this feature built in, but we're still riding an old system that couldn't 
do this.

Respectfully,

Matthew Williams
Manager, Network and Telecommunications Services
Kent State University
Office: (330) 672-7246
Mobile: (330) 469-0445

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Troy Lynn Wiseman
Sent: Tuesday, September 1, 2015 10:40 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Handling Non 802.1x Devices on the Enterprise Network

We are trying to figure out how to handle non 802.1x devices on our enterprise 
network.  We are a Cisco shop and currently are broadcasting 4 SSIDs including 
a guest SSID that is non 802.1x.  We are concerned with how to give access to 
non 802.1x devices in our residence halls.  We were wondering how others are 
tackling this issue.

TROY WISEMAN
Network Engineer II

INFORMATION TECHNOLOGY
MAIL CODE 4622
SOUTHERN ILLINOIS UNIVERSITY
625 WHAM DRIVE
CARBONDALE, ILLINOIS 62901

twise...@siu.edu
P: (618) 453-6264
INFOTECH.SIU.EDU




--

Rick Coloccia, Jr.

Network Manager

State University of NY College at Geneseo

1 College Circle, 119 South Hall

Geneseo, NY 14454

V: 585-245-5577

F: 585-245-5579



RE: [WIRELESS-LAN] Authentication failures at peak times (Cisco)

2014-09-02 Thread Case, Brandon J
Don,

Yep the Timeout Requests counter on the controllers ticks up for the particular 
RADIUS server they’re talking to. I’ve also noticed the Pending Request timer 
increase at times but eventually it drops back to 0 when usage levels go down. 
Which vendor supported RADIUS appliances did you switch to?

Thanks,
Brandon

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Wright, Don
Sent: Monday, September 01, 2014 9:17 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Authentication failures at peak times (Cisco)

Brandon,
 Can you see any radius issues based on stats on your controllers, 
timeouts, etc.  We were seeing these on our FR servers last fall before we 
moved to our vendor support radius appliances.
-
Don Wright
Lead Network Operations Engineer
Brown University


On Wed, Aug 27, 2014 at 3:21 PM, Case, Brandon J 
ca...@purdue.edu wrote:
Would you be able to elaborate on the improvements you did over the summer? We 
have a similar setup with regards to the backend, although ours is just 
freeradius - ldap without the F5. Our usage levels are just a bit higher than 
yours but we're receiving lots of user reports of the inability to authenticate 
but nothing consistent enough to isolate and test repeatedly.

Thanks,
Brandon

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Wang, Yu
Sent: Wednesday, August 27, 2014 3:15 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Authentication failures at peak times (Cisco)

Where are all your user accounts hosted? What kind of user database serves 
the wireless system? Do you have a rough number of how many concurrent users at 
peak time?

We had peak time wireless authentication failure issues in the past Spring 
semester. We did performance tests in the summer and found out it was the 
backend (F5 + LDAP). We did improvements in the summer and we have not seen the 
issue in the first three days of Fall semester. Yesterday's wireless usage set 
a new record with over 32k unique users and over 15k concurrent users.

We use Aruba wireless with 802.1X, WPA2-Ent, PEAP, MSCHAPv2 + freeradius + F5 + 
ldap. It's different than yours but from the error you mentioned, it's likely 
the backend was congested.



Yu Wang

Network Architect
Information Technology Services
The Florida State University
850-645-6810
yu.w...@fsu.edu


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Eric T. Barnett
Sent: Wednesday, August 27, 2014 2:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Authentication failures at peak times (Cisco)

We've got a relatively small deployment compared to many on this list, but 
we've run into a problem we just can't put our finger on. We're using 5508s and 
ISE as a RADIUS server and we're having HUGE latencies on WPA2-Enterprise PEAP 
authentication. There's times when almost no one can authenticate. What's 
really weird is that the controllers show AAA Authentication Error when this 
happens even though the username and password is correct. None of the devices 
seem distressed and there's no network problems we can see. Anyone ever seen 
this before or have any ideas how to troubleshoot? TAC so far has been not 
incredibly useful but they have only been on the case for a day or so now. I 
can hear my users sharpening the pitchforks...

Thanks,

Eric Barnett
Wireless Administrator
Information and Technology Services
Arkansas State University
870 680 4243



RE: Authentication failures at peak times (Cisco)

2014-08-27 Thread Case, Brandon J
Would you be able to elaborate on the improvements you did over the summer? We 
have a similar setup with regards to the backend, although ours is just 
freeradius - ldap without the F5. Our usage levels are just a bit higher than 
yours but we're receiving lots of user reports of the inability to authenticate 
but nothing consistent enough to isolate and test repeatedly.

Thanks,
Brandon

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Wang, Yu
Sent: Wednesday, August 27, 2014 3:15 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Authentication failures at peak times (Cisco)

Where are all your user accounts hosted? What kind of user database serves 
the wireless system? Do you have a rough number of how many concurrent users at 
peak time?

We had peak time wireless authentication failure issues in the past Spring 
semester. We did performance tests in the summer and found out it was the 
backend (F5 + LDAP). We did improvements in the summer and we have not seen the 
issue in the first three days of Fall semester. Yesterday's wireless usage set 
a new record with over 32k unique users and over 15k concurrent users.

We use Aruba wireless with 802.1X, WPA2-Ent, PEAP, MSCHAPv2 + freeradius + F5 + 
ldap. It's different than yours but from the error you mentioned, it's likely 
the backend was congested.



Yu Wang

Network Architect
Information Technology Services
The Florida State University
850-645-6810
yu.w...@fsu.edu


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Eric T. Barnett
Sent: Wednesday, August 27, 2014 2:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Authentication failures at peak times (Cisco)

We've got a relatively small deployment compared to many on this list, but 
we've run into a problem we just can't put our finger on. We're using 5508s and 
ISE as a RADIUS server and we're having HUGE latencies on WPA2-Enterprise PEAP 
authentication. There's times when almost no one can authenticate. What's 
really weird is that the controllers show AAA Authentication Error when this 
happens even though the username and password is correct. None of the devices 
seem distressed and there's no network problems we can see. Anyone ever seen 
this before or have any ideas how to troubleshoot? TAC so far has been not 
incredibly useful but they have only been on the case for a day or so now. I 
can hear my users sharpening the pitchforks...

Thanks,

Eric Barnett
Wireless Administrator
Information and Technology Services
Arkansas State University
870 680 4243



RE: Cisco WLCs and Client Exclusion

2014-08-21 Thread Case, Brandon J
Thanks everyone for the feedback. We've had our timer set at the default of 60 
seconds but it's sounding like that's best to change. In addition to tweaking 
some of the EAP timers I'm going to put that change into effect soon (classes 
start on Monday) and hope for the best!

Lee--do you know what kind of change they're planning on making? Just bumping 
the threshold up or making it configurable?

Thanks,
Brandon

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Thursday, August 21, 2014 2:54 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLCs and Client Exclusion

One follow-up here- Cisco has been responsive to our request for a tweak to the 
three strikes threshold and it will be changed in 8.1 code.

Lee

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Thursday, August 21, 2014 10:22 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLCs and Client Exclusion

We HAD to enable it, because misconfigured/unconfigured/wonky clients were 
pounding our RADIUS servers at a rate that rises to DOS. At the same time, the 
exclusion setting is 3 strikes and you're in the penalty box- no adjustment yet 
available. For us, we only use it for failed 802.1x authentications, and we 
keep the exclusion timer low, like 5 seconds because legit clients WILL 
occasionally get caught. The short timer slows any DOS effects, and doesn't 
hurt the occasional good client getting caught for whatever reason.


Lee Badman

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Case, Brandon J
Sent: Thursday, August 21, 2014 10:11 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco WLCs and Client Exclusion

For the Cisco shops out there: does anyone use Client Exclusion on their 1x 
WLANs? Any adverse effects? We're tracking an issue being reported by our help 
desk and wondering if that setting could be the culprit. We've always had the 
setting enabled (5+ years on lightweight APs) and it's never appeared to cause 
a major problem. Any and all feedback is appreciated.

Thanks,
--
Brandon Case
Network Engineer, ITaP
Purdue University
ca...@purdue.edu
Office: (765) 49-67096
Mobile: (765) 421-6259
Fax:(765) 49-46620

PGP Fingerprint:
99CB 02D6 983C 1E2A 015F  205C C7AA E985 A11A 1251
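
The trade-off discussed in this thread (three failed 802.1X authentications, then an exclusion timer of 5 seconds versus the default 60) can be put in numbers with a small model. This is an added example, not part of any list member's post and not Cisco's implementation; the policy rules, client names and event timings are constructed assumptions.

```python
"""Model of client exclusion on failed 802.1X authentication (added example).

Assumptions, not taken from Cisco documentation: a client is excluded after
three consecutive failures; attempts made while excluded are dropped at the
controller and never reach RADIUS; the strike count resets on success and
when an exclusion starts.
"""
from dataclasses import dataclass, field

STRIKES = 3  # "3 strikes and you're in the penalty box"


@dataclass
class Result:
    radius_requests: int = 0                            # forwarded to RADIUS
    dropped: int = 0                                    # blocked by exclusion
    exclusions: dict = field(default_factory=dict)      # mac -> exclusion count
    first_success: dict = field(default_factory=dict)   # mac -> time connected


def simulate(events, exclusion_timer, enabled=True):
    """Replay (time_s, mac, credentials_ok) tuples through the policy."""
    strikes, excluded_until = {}, {}
    res = Result()
    for t, mac, ok in sorted(events):
        if mac in res.first_success:
            continue                      # already connected, stops retrying
        if enabled and t < excluded_until.get(mac, 0):
            res.dropped += 1              # controller refuses the attempt
            continue
        res.radius_requests += 1
        if ok:
            strikes[mac] = 0
            res.first_success[mac] = t
            continue
        strikes[mac] = strikes.get(mac, 0) + 1
        if enabled and strikes[mac] >= STRIKES:
            excluded_until[mac] = t + exclusion_timer
            strikes[mac] = 0
            res.exclusions[mac] = res.exclusions.get(mac, 0) + 1
    return res


def build_events():
    """Constructed traffic: one broken supplicant and one unlucky good client."""
    events = [(t, "bad-client", False) for t in range(120)]       # 1 try/s
    events += [(t, "good-client", False) for t in (10, 11, 12)]   # 3 bad tries
    events += [(t, "good-client", True) for t in range(14, 82, 2)]
    return events


def compare():
    """Run the same traffic with exclusion off, at 5 s and at 60 s."""
    events = build_events()
    return {
        "disabled": simulate(events, 0, enabled=False),
        "timer_5s": simulate(events, 5),
        "timer_60s": simulate(events, 60),
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:10} radius={r.radius_requests:3} dropped={r.dropped:3} "
              f"good client online at t={r.first_success['good-client']}s")
```

In this constructed run the 5-second timer cuts RADIUS load from the broken client by more than half while the good client is delayed by a few seconds; the 60-second timer cuts load further but keeps the good client offline for a full minute.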



RE: [WIRELESS-LAN] Eduroam rollout- one more time

2013-11-01 Thread Case, Brandon J
We were in the same spot with #1 and still are (since our main SSID has been 
.1x for a while). #2 was considered for the briefest of seconds but was quickly 
surpassed by #3 which was the quickest to implement. We've been happy with the 
rollout and it's working well.

-Brandon

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ian McDonald
Sent: Friday, November 01, 2013 12:48 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam rollout- one more time

We did #1, but we didn't have .1x before that. My understanding is that most 
places that did went for #3.

Our biggest benefit of #1 is that eduroam just works for users who go away to 
other institutions, without them ever having to plan it, as it's already set up.

--
ian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Scott Allen
Sent: 01 November 2013 16:44
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam rollout- one more time


Happy with #3
-Scott

On Nov 1, 2013 12:34 PM, Lee H Badman lhbad...@syr.edu wrote:
I know this comes up frequently, so forgive me. We're at a different place than 
we were at last inquiry...

Syracuse University has become an Eduroam school, and as we speak we have happy 
Eduroamers around the world. Woo Woo!

At the same time, we have yet to roll out Eduroam on our own campus and are 
getting ready to in accordance to the Eduroam agreement. We're trying to figure 
out the best model:

1.   Retire our own beloved 802.1x SSID, and use Eduroam in its place. This 
has no favor with any of us, including our senior IT managers and so is not 
gonna happen. (Though I value the opinions of others, not wanting to get into a 
debate on this point :) )

2.   Do a targeted rollout of Eduroam, in places where it is likely to be 
used by visitors- academic  buildings, etc. (So far, I can't find evidence of 
anyone coming to SU and asking for it). This model requires building a new WLAN 
group or two and pushing it out to probably 20ish buildings out of our 200+ 
buildings.

3.   Go the easy path, and push the Eduroam SSID everywhere, as an 
additional WLAN, and live with the fact that it won't get a lot of use in most 
places and puts management traffic in the air that isn't generally going to be 
used.

I can't be the only one who has stood at this juncture and looked at the 
situation the same way. Wondering what others have done between #2 and #3, and 
what your level of satisfaction has been for whatever path you took.


Regards,

Lee Badman
Syracuse University





RE: Bandwidth utilization and IOS7 upgrade

2013-09-18 Thread Case, Brandon J
We are. Typical load at this time on a Wednesday is around 1.5Gbps aggregate 
for our ~22K-ish concurrent users. It's currently cooking along at 2.8Gbps with 
a very clear jump right around that time.

-Brandon

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Eric T. Barnett
Sent: Wednesday, September 18, 2013 2:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Bandwidth utilization and IOS7 upgrade

So has anyone else seen a HUGE spike in wireless traffic with the IOS7 update? 
Our wireless had a dramatic shift at exactly 11:55AM CDT that's still going 
strong.

Regards,

Eric Barnett
Senior Network Engineer/Wireless Administrator
Information and Technology Services
Arkansas State University
(870) 680-4243
http://wireless.astate.edu



4G Router Recommendations

2013-02-08 Thread Case, Brandon J
We have a small facility (less than 5 users) located just enough off-campus 
that some kind of wifi backhaul isn't possible for connectivity. Users at the 
site want to explore using some kind of 4G device as an uplink. This needs to 
be coupled with using one of the Cisco OfficeExtend APs as well per the local 
tech support staff. Anyone out there have any good recommendations for a 4G 
device to fit this bill? 

Thanks,
--
Brandon Case
Network Engineer, ITaP
Purdue University
ca...@purdue.edu
Office: (765) 49-67096
Mobile: (765) 421-6259
Fax:(765) 49-46620

PGP Fingerprint:
99CB 02D6 983C 1E2A 015F  205C C7AA E985 A11A 1251



RE: [WIRELESS-LAN] Apple attempting to fix their faux-paus

2012-11-16 Thread Case, Brandon J
The newest release of the Apple TV software does support WPA2 Enterprise but, 
of course, there's a catch. It can't be configured directly from the Apple TV 
itself. It has to be done using the Apple Configurator software and pushed to 
the Apple TV via the USB port on the back (at least that was the case the last 
time I looked at this).

A good gotcha to note for anyone trying this...it's possible to use an HDMI 
cable with too large of a connector which covers the USB port on the Apple TV. 
One of our staff ran into this trying to push a WPA2 Enterprise profile to an 
Apple TV. The USB cable had to be plugged in to push the profile but there's 
some on-screen dialog to work with too apparently that requires the HDMI cable 
to be connected. Hooray for technology.

-Brandon

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mark Duling
Sent: Friday, November 16, 2012 12:54 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple attempting to fix their faux-paus

Necessity is the mother of invention.  This has probably been mentioned before, 
but this reminds me of AppleTalk zones.  All that had to be worked out in 
advance to gain acceptance in business, but now IT is being consumerized and 
so the process is reversed once demand reaches critical mass.

And the article says Apple TV doesn't support WPA2 Enterprise.  Didn't they add 
that in the last Apple TV software update?

Mark

On Fri, Nov 16, 2012 at 6:15 AM, Lee H Badman lhbad...@syr.edu wrote:
Thanks, Peter. Not sure how angry we all are, but certainly frustrated by 
hoops required to try to make anything out of Bonjour on big networks. 
Hopefully, Apple moves quickly and delivers something that is the right fit. 
That they responded is awesome, but whether they work with any real customers 
for beta testing or whatever remains to be seen.

-Lee

Lee H. Badman
Network Architect/Wireless TME
Information Technology and Services (ITS)
Syracuse University
315 443-3003



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Peter Murphy
Sent: Friday, November 16, 2012 8:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Apple attempting to fix their faux-paus

A co-worker pointed me at this:
Thought you guys might find this article interesting especially since we are 
experiencing this first hand.

http://www.networkworld.com/news/2012/110812-apple-university-264091.html



--
Peter Murphy
Interim Director Network Engineering  Security
Wayne State University
pmur...@wayne.edu
v: 313-577-4737



RE: [WIRELESS-LAN] Cisco 7.3 Code and ISC DHCP

2012-10-17 Thread Case, Brandon J
We had the exact same issue with our old WiSM1s after upgrading the 6500 they 
were in to 12.2(33)SXI. Apparently when the WiSMs first booted they sent DHCP 
requests with a blank hostname (although I think these were running something 
in the 5.2 train or perhaps earlier). 12.2(33)SXH didn't care and would process 
the request but SXI did care and would silently discard the requests. This was 
a huge issue for us because the WiSMs weren't getting addresses for their 
service ports and couldn't be configured remotely (no console server at that 
particular site at the time). Later versions of WiSM code seemed better and 
didn't send DHCP requests with a blank hostname.

As for the 3602s: we just installed a bunch of them and didn't have any issues 
with them getting DHCP leases. We're running ISC DHCP 3.1.3 and are using 6500s 
with the VS-S720-10G supervisor running 12.2(33)SXJ. I'd be happy to compare 
DHCP configs offline if it will help.

--
Brandon Case
Network Engineer, ITaP
Purdue University
ca...@purdue.edu
Office: (765) 49-67096
Mobile: (765) 421-6259
Fax:(765) 49-46620

PGP Fingerprint:
99CB 02D6 983C 1E2A 015F  205C C7AA E985 A11A 1251



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Julian Y Koh
Sent: Wednesday, October 17, 2012 7:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco 7.3 Code and ISC DHCP

On Oct 16, 2012, at 19:49, Jason Murray jemur...@zweck.net wrote:
>
> This is not completely related, but we just upgraded one of our Cisco 
> routers, after the upgrade dhcp stopped working because one dhcp option was 
> blank. 'Debug IP dhcp server' was the only way we would have noticed this 
> problem.  The router was silently discarding the replies.


Can you share router model and software versions?

-- 
Julian Y. Koh
Manager, Network Transport, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)
2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: http://www.it.northwestern.edu/
PGP Public Key:http://bt.ittns.northwestern.edu/julian/pgppubkey.html
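
Both reports in this thread come down to a DHCP option sent with no value (a blank hostname in one case) and a device that silently drops the packet. The following is an added example, not code from any list member or vendor: it walks the options field of a DHCP payload and reports zero-length options. The function names, the MAC address and the transaction id are constructed, and the input is assumed to be the UDP payload already extracted from a capture.

```python
"""Flag zero-length DHCP options (added example, constructed test packets)."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FIXED_LEN = 236            # fixed BOOTP header that precedes the cookie
PAD, END = 0, 255                # single-byte options with no length field
NAMES = {12: "host-name", 53: "message-type", 55: "parameter-request-list"}


class MalformedDhcp(ValueError):
    """Raised when the options field cannot be walked to its END marker."""


def parse_options(payload: bytes):
    """Return [(code, value_bytes)] from a UDP payload carrying DHCP."""
    start = BOOTP_FIXED_LEN + len(MAGIC_COOKIE)
    if len(payload) < start:
        raise MalformedDhcp("shorter than BOOTP header plus magic cookie")
    if payload[BOOTP_FIXED_LEN:start] != MAGIC_COOKIE:
        raise MalformedDhcp("magic cookie missing, not a DHCP message")
    opts, i = [], start
    while i < len(payload):
        code = payload[i]
        if code == PAD:
            i += 1
            continue
        if code == END:
            return opts
        if i + 1 >= len(payload):
            raise MalformedDhcp(f"option {code} has no length byte")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise MalformedDhcp(f"option {code} runs past end of packet")
        opts.append((code, value))
        i += 2 + length
    raise MalformedDhcp("options field has no END marker")


def empty_options(payload: bytes):
    """Return [(code, name)] for every option sent with length 0.

    RFC 2132 gives the host name option (12) a minimum length of 1, so an
    empty one is the kind of packet a strict relay or server may discard.
    """
    return [(code, NAMES.get(code, "unknown"))
            for code, value in parse_options(payload) if not value]


def build_discover(hostname: bytes) -> bytes:
    """Constructed DHCPDISCOVER; the MAC and transaction id are made up."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        0x1A2B3C4D, 0, 0x8000,      # xid, secs, flags (broadcast)
        b"", b"", b"", b"",         # ciaddr, yiaddr, siaddr, giaddr
        bytes.fromhex("020000000001"), b"", b"",   # chaddr, sname, file
    )
    options = (
        bytes([53, 1, 1])                          # DHCPDISCOVER
        + bytes([12, len(hostname)]) + hostname    # host name, possibly empty
        + bytes([55, 3, 1, 3, 6])                  # subnet mask, router, DNS
        + bytes([END])
    )
    return fixed + MAGIC_COOKIE + options


if __name__ == "__main__":
    for name in (b"wism-1", b""):
        print(name, "->", empty_options(build_discover(name)))
```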



Domain Logon Over Wireless

2012-07-30 Thread Case, Brandon J
Has anyone out there tried doing domain logons over a 1x-enabled network? We 
have a request in from one department (and potentially others) to offer such a 
service. Their goal is to create learning lab environments where students can 
use laptops that are dedicated just for the room the lab is in. However, they 
also want to be able to join these laptops to their departmental domain in 
order to do patching etc. so the machines have to be able to log on to the 
network while no user is logged on to the machine. 

Google searches until my eyes are bloodshot all say it can only be done with 
EAP-TLS and machine certificates, which always leads to using Microsoft 
Certificate Services. I'm no Windows Server buff so all the magic that happens 
between laptop and domain controllers is smoke and mirrors to me. Even if that 
can be side-stepped somehow, the thought of private PKI management isn't one I 
relish. Any hints anyone can offer would be wonderful.

Thanks,
--
Brandon Case
Network Engineer, ITaP
Purdue University
ca...@purdue.edu
Office: (765) 49-67096
Mobile: (765) 421-6259
Fax:(765) 49-46620

PGP Fingerprint:
99CB 02D6 983C 1E2A 015F  205C C7AA E985 A11A 1251



RE: [WIRELESS-LAN] WAPS seem to die after switch reboot

2012-01-11 Thread Case, Brandon J
We're dealing with a similar issue right now too, but it seems to be 
AP-independent. We have a mix of Cisco 3500's and 1250's running on Cisco 
3750EPs (running 12.2(53)SE2) and a sample of each type of AP experience the 
problem. Our 3750's are Gigabit so I've been using the 'test cable-diagnostic 
tdr' feature to see if there might be a cabling issue and in 95% of the cases 
it shows that pairs A and B are swapped between the local and remote ends. I'm 
still not sure how much I trust those results since they include 3 separate 
runs of cable (cross connect, infrastructure, and jumper at the AP) but it's 
still something. We figured out a workaround of sorts by hardcoding the ports 
to 1000M full duplex and it seems to work in most cases. For the rest, either 
reseating or replacing the cross connect has fixed it. 

In all cases, the tell-tale indicator is a value of 'IeeePD' in the Device 
field of a 'show power inline | ex off'. I've seen that happen whether or not 
the line protocol on the port is up, oddly enough. I've got an email out to 
Cisco to see if this might be some undocumented bug or...what. If I get 
anything worthwhile back I'll share.

Thanks,
--
Brandon Case, CCNA
Network Engineer, ITaP
Purdue University
ca...@purdue.edu
Office: (765)49-67096
Mobile: (765)479-7597
Fax:(765)49-46620

PGP Fingerprint:
99CB 02D6 983C 1E2A 015F  205C C7AA E985 A11A 1251

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Craig Eyre
Sent: Wednesday, January 11, 2012 3:55 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WAPS seem to die after switch reboot

Vicki,

If I remember correctly the power module in the cisco switch controls ports
in groups of 4. Try and move one of the dead access points to a port in a
group of 4 that does NOT already have an access point in the group. I've
seen issues like this before but not on a 3560.

Regards,


Craig Eyre
Network Analyst
IT Services Department
Mount Royal University
4825 Mount Royal Gate SW
Calgary AB T2P 3T5

P. 403.440.5199
E. ce...@mtroyal.ca

The difference between a successful person and others is not a lack of
strength, not a lack of knowledge, but rather in a lack of will.  Vincent
T. Lombardi




From:    Vikki Cutrone vicutr...@vassar.edu
To:      WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date:    01/11/2012 01:50 PM
Subject: Re: [WIRELESS-LAN] WAPS seem to die after switch reboot
Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv
         WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU



Hi,

They are down/down never to come on line again.  This is a show power
inline--


Fa1/0/33  auto   on   12.2   AIR-LAP1131AG-A-K9  3   15.4
Fa1/0/34  auto   on   12.2   AIR-LAP1131AG-A-K9  3   15.4
Fa1/0/35  auto   on   12.2   AIR-LAP1131AG-A-K9  3   15.4
Fa1/0/36  auto   on   12.2   AIR-LAP1131AG-A-K9  3   15.4
Fa1/0/37  auto   on   15.4   Ieee PD             3   15.4
Fa1/0/38  auto   on   12.2   AIR-LAP1131AG-A-K9  3   15.4
Fa1/0/39  auto   on   12.2   AIR-LAP1131AG-A-K9  3   15.4
Fa1/0/40  auto   on   12.2   AIR-LAP1131AG-A-K9  3   15.4
Fa1/0/41  auto   on   12.2   AIR-LAP1131AG-A-K9  3   15.4
Fa1/0/42  auto   on   12.2   AIR-LAP1131AG-A-K9  3   15.4
Fa1/0/43  auto   on   12.2   AIR-LAP1131AG-A-K9  3   15.4
Fa1/0/44  auto   on   12.2   AIR-LAP1131AG-A-K9  3   15.4
Fa1/0/45  auto   on   12.2   AIR-LAP1131AG-A-K9  3   15.4
Fa1/0/46  auto   on   15.4   Ieee PD             3   15.4
Fa1/0/47  auto   on   15.4   Ieee PD             3   15.4


Module   Available   Used      Remaining
         (Watts)     (Watts)   (Watts)
------   ---------   -------   ---------
1        370.0       231.0     139.0
2        n/a         n/a       n/a
3        n/a         n/a       n/a
4        n/a         n/a       n/a

Did a power inline never  power inline auto--

Fa1/0/33  auto   on   15.4   AIR-LAP1131AG-A-K9  3   15.4
Fa1/0/34  auto   on   15.4   AIR-LAP1131AG-A-K9  3   15.4
Fa1/0/35  auto   on   15.4   AIR-LAP1131AG-A-K9  3   15.4
Fa1/0/36  auto   on   15.4   AIR-LAP1131AG-A-K9  3   15.4
Fa1/0/37  auto   on   15.4   Ieee PD             3   15.4
Fa1/0/38  auto   on   15.4   AIR-LAP1131AG-A-K9  3   15.4
Fa1/0/39  auto   on   15.4   AIR-LAP1131AG-A-K9  3   15.4
Fa1/0/40  auto   on   15.4   AIR-LAP1131AG-A-K9  3   15.4
Fa1/0/41  auto   on   15.4   AIR-LAP1131AG-A-K9  3   15.4
Fa1/0/42  auto   on   15.4   AIR-LAP1131AG-A-K9  3   15.4
Fa1/0/43  auto   on   15.4   AIR-LAP1131AG-A-K9  3   15.4
Fa1/0/44  auto   on   15.4   AIR-LAP1131AG-A-K9  3   15.4
Fa1/0/45  auto   on   15.4   AIR-LAP1131AG-A-K9  3   15.4
Fa1/0/46  auto   on   15.4   Ieee PD             3   15.4
Fa1/0/47  

RE: NCS 1.0.2.28 (MR2)

2011-11-18 Thread Case, Brandon J
Has anyone who is running MR2 tried to migrate data from WCS 7.0.220.0? The 
release notes explicitly say it's supported but after a 7 hour wait, I was 
presented with this message last night:

 Appliance Restore Process 
ERROR: invalid backup file version. Exception: 7.0.220.0 is not a supported WCS 
version. Please restore a backup of one of the supported versions.

Haven't opened a TAC case yet but that's going to be my next step. Just 
wondering if anyone else has had a similar experience yet.

Thanks,
--
Brandon Case, CCNA
Network Engineer, ITaP
Purdue University
ca...@purdue.edu
Office: (765)49-67096
Mobile: (765)479-7597
Fax:(765)49-46620

PGP Fingerprint:
99CB 02D6 983C 1E2A 015F  205C C7AA E985 A11A 1251

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hurt,Trenton William
Sent: Thursday, November 17, 2011 8:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] NCS 1.0.2.28 (MR2)

New NCS release is out.  Lots of bug fixes.

http://www.cisco.com/en/US/docs/wireless/ncs/1.0/release/notes/NCS_RN1.0.2.html#wp208350

Trenton Hurt, CCNP(W), CCNA(W), CCNA(V), CCNA(R/S)
Wireless Network Administrator
University of Louisville
Phone (502) 852-1513
FAX (502) 852-1424

RE: [WIRELESS-LAN] Mac OS 10.6.2 Update

2009-11-10 Thread Case, Brandon J
I applied this update to a Mac as a test client today, and I can confirm that 
it's still experiencing the same issue as it was pre-patching. Interestingly 
enough, toggling on broadcast of the SSID results in the client connecting 
immediately. Disable Airport, disable broadcast, re-enable Airport and it goes 
back to endlessly trying to authenticate.

--
Brandon Case, CCNA
Network Engineer, ITaP
Purdue University
ca...@purdue.edu
Office: (765)49-67096
Mobile: (765)479-7597
Fax:(765)49-46620

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Jeffrey Sessler
Sent: Tuesday, November 10, 2009 2:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Mac OS 10.6.2 Update

Lee,

There are bugs fixed that I'm aware of (I had bugs open on them), but never 
make it into the readme. It's kind of the same with Cisco in that you look at 
the release notes for new wireless code and it often excludes items you know 
have been resolved. I guess they just pick and choose what to include.

Jeff 

 Lee H Badman lhbad...@syr.edu 11/9/2009 3:58 PM 
http://support.apple.com/kb/HT3874 

Surprisingly, I see no mention of attempting to fix the ongoing AirPort 
oddities. Didn't someone say Apple promised a fix in November?

-Lee

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003






Cisco Environment and Apple products

2009-06-16 Thread Case, Brandon J
Is anyone out there a Cisco controller shop that's seeing lots of
troubles with Apple products? We're transitioning (still) to an entirely
controller-based infrastructure so we have a mix of buildings that are
running on those and some that are still IOS-based APs. 

Lately it seems a lot of tickets are coming into our help desk from
Apple users that are in the vein of "it used to work but now it doesn't"
but only in buildings running on the controllers. I'm left scratching my
head as to why since I cannot reproduce the problem on my. A while back
there was a thread on this list about tweaking EAP timers and I've made
those changes to our controllers but to no avail. Anyone have any
insight into this?

Thanks,
--
Brandon Case, CCNA
Network Engineer, ITaP
Purdue University
ca...@purdue.edu
Office: (765)49-67096
Mobile: (765)479-7597
Fax:(765)49-46620



RE: [WIRELESS-LAN] ACLs on Cisco WiSMs

2009-04-21 Thread Case, Brandon J
Lee,

We use ACLs on two of our walled garden SSIDs that share a subnet but
have different lists of allowed resources. They seem to work pretty well
although I wouldn't dare try to add them through the CLI initially. It
also helps when you remember that enabling an ACL anywhere automatically
means it's bidirectional so you have to add rules for in and outbound
traffic to a particular destination. That one got me a few times but now
that they've been in place and properly set up everything has worked
well.

Thanks,
--
Brandon Case, CCNA
Network Engineer, ITaP
Purdue University
ca...@purdue.edu
Office: (765)49-67096
Mobile: (765)479-7597
Fax:(765)49-46620

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Tuesday, April 21, 2009 8:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] ACLs on Cisco WiSMs

 

Wondering if anyone is doing any real ACLing on the WiSM blades? This is
an area we have flirted with a few times, but never really did much with
in prod- leaving the ACLing on the attached routers. Just curious...

-Lee

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003

 




RE: [WIRELESS-LAN] Wireless Installation Process

2008-12-18 Thread Case, Brandon J
Thanks to everyone for the great replies. I was scratching my head over
our wireless install process for a few days and figured this was a good
place for some ideas. All those replies did lead me to a follow-up
question though. For those of you that contract the AP installs out,
either to another department or a contractor, is there some kind of
training you require them to have been through? 

We contract the AP installs out to another department, but the issue we
run into most often is that the people doing the work don't understand
how to properly mount either the AP, the antenna, or both. We're
beginning to go through a refresh cycle and would like to avoid the
mistakes that happened last time (like antennas installed 3' above the
ceiling between two HVAC units). Thanks again in advance.

Brandon

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Case, Brandon J
Sent: Wednesday, December 17, 2008 10:01 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Installation Process

I'm curious as to how you all out there handle the actual physical
installation of APs in your environments. Do you handle that within the
same team that manages the wireless network or is it a separate group
that installs the equipment? How do you go about having the data jacks
installed? Just as an estimation, approximately how long does it take to
have an AP installed?

For buildings that are still in the planning phase, do you design the AP
locations into the building based on CAD drawings ahead of time? Or do
you perform an on-site survey after the building is open and then
proceed with installation?

Any and all comments are appreciated.

Thanks,
--
Brandon Case, CCNA
Network Engineer, ITaP
Purdue University
ca...@purdue.edu
Office: (765)49-67096
Mobile: (765)479-7597
Fax:(765)49-46620



Wireless Installation Process

2008-12-17 Thread Case, Brandon J
I'm curious as to how you all out there handle the actual physical
installation of APs in your environments. Do you handle that within the
same team that manages the wireless network or is it a separate group
that installs the equipment? How do you go about having the data jacks
installed? Just as an estimation, approximately how long does it take to
have an AP installed?

For buildings that are still in the planning phase, do you design the AP
locations into the building based on CAD drawings ahead of time? Or do
you perform an on-site survey after the building is open and then
proceed with installation?

Any and all comments are appreciated.

Thanks,
--
Brandon Case, CCNA
Network Engineer, ITaP
Purdue University
ca...@purdue.edu
Office: (765)49-67096
Mobile: (765)479-7597
Fax:(765)49-46620



RE: [WIRELESS-LAN] PEAP/MS-CHAPv2 and LDAP problems

2008-07-23 Thread Case, Brandon J
If you're using ACS with an external LDAP database then you're limited
to EAP-FAST, PEAP-GTC, or EAP-TLS according to the ACS documentation. We
did run into a similar problem but decided to access the user database
via RADIUS instead (we have a proprietary, home-grown system which is
accessible via RADIUS or LDAP), and ACS does allow the use of
PEAP-MSCHAPv2 in that setup. If you're set on using ACS then your
options are configuring the external user database as a LEAP Proxy
RADIUS Server or having all the accounts locally on the ACS box. 

Reference information here: http://tinyurl.com/5umk8l

--
Brandon Case, CCNA
Network Engineer, ITaP
Purdue University
[EMAIL PROTECTED]
Office: (765)49-67096
Mobile: (765)479-7597
Fax:(765)49-46620

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of John York
Sent: Tuesday, July 22, 2008 5:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] PEAP/MS-CHAPv2 and LDAP problems

We have a Cisco WLC-4402 and ACS v4.1.  Until recently we've been
running our wireless wide open and using VPN for encryption, but want to
move to WPA/WPA2 for all our clients.  We will use the idEngines
AutoConnect product to configure the clients (student machines) but I've
run into problems just getting the wireless configured.

Since we want to use WPA, that means some flavor of EAP.  The student
data is on an ldap server, so that means WPA/2-enterprise, no WPA-PSK.
The Windows clients support EAP-TLS and EAP-PEAP(MSCHAPv2), but we don't
want to bother with certificates on the client so EAP-TLS is out.  It
looks like EAP-PEAP(MSCHAPv2) is the way to go, but the Cisco WLC and
ACS only support EAP-TLS, EAP-FAST or EAP-GTC.  Cisco TAC's answer was,
more or less, "Just install clients that have the Cisco Compatible
Extensions (CCX)."

The SecureW2 client does support EAP-GTC.  It also supports
EAP-TTLS--the ACS supports PEAP/TLS, PEAP with TLS as an inner method.
Don't know if those two are the same or not.

I'm sure someone has gotten this to work before.  Does authenticating to
an ldap server mean we are forced to use EAP-TLS with client certs,
install some client on the student machines, or is there another way?

John York
Network Engineer
Blue Ridge Community College



RE: [WIRELESS-LAN] Cisco Wisms CPU

2008-02-15 Thread Case, Brandon J
You can browse the entire Airespace MIB that the controllers support at:
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=airespace&translate=Translate&submitValue=SUBMIT
with Cisco's SNMP Object Navigator tool.

As far as I know there is no single OID for the number of access points
registered to the controller. It's just a table that's not indexed at
all. I have a Perl script that walks the table and counts the number of
rows to get the number of access points.

--
Brandon Case, CCNA
Network Engineer, ITaP
Purdue University
[EMAIL PROTECTED]
Office: (765)49-67096
Mobile: (765)479-7597
Fax:(765)49-46620 

-Original Message-
From: Jim Glassford [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 15, 2008 11:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco Wisms CPU

Greetings,

 Does anyone have an OID for the number of Access Points attached off
4400 controllers?

Have been using on WLC 4402 and 4404 with success

CPU
1.3.6.1.4.1.14179.1.1.5.1.0

Memory
1.3.6.1.4.1.14179.1.1.5.2.0

Authenticated Users for SSID number one
1.3.6.1.4.1.14179.2.1.1.1.38.1

Authenticated Users for SSID number two
1.3.6.1.4.1.14179.2.1.1.1.38.2

Mobile Station Protocol
1.3.6.1.4.1.14179.2.1.4.1.25
IF 1 = a radio
2 = b radio
3 = g radio
4 = unknown
5 = mobile

thanks!


- Original Message - 
From: Frank Bulk [EMAIL PROTECTED]
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, February 14, 2008 8:51 PM
Subject: Re: [WIRELESS-LAN] Cisco Wisms CPU


 Does
 enterprises.airespace.bsnSwitching.agentInfoGroup.agentResourceInfoGroup.agentCurrentCPUUtilization
 (.1.3.6.1.4.1.14179.1.1.5.1) not get what you want,
 or does the CLI offer a different view?

 Frank

 -Original Message-
 From: Roth, Joe [mailto:[EMAIL PROTECTED]
 Sent: 2008-02-14 08:23
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Cisco Wisms CPU

 I would be interested in this as well. Right now I am using a PERL
 script in conjunction with MRTG to graph our CPU usage. The script uses
 telnet to pull the current CPU usage from the WiSMs.

 I am willing to share this, but it does require the Net::Telnet::Cisco
 PERL module to be installed.

 --Joe

 -Original Message-
 From: Howd, Walt [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 13, 2008 4:51 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Cisco Wisms CPU

 On a somewhat related note, does anyone have the SNMP OIDs to monitor
 the CPU load on the WiSM?

 

 Walt Howd
 Network Systems Admin
 Information Technology Services
 Truman State University
 SunGard Higher Education
 Managed Services
 100 East Normal Street
 Kirksville, MO 63501
 [EMAIL PROTECTED]



 -Original Message-
 From: Lee H Badman [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 13, 2008 3:38 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Cisco Wisms CPU

 We have always run under 5% for the most part (occasional spikes that
 rarely approach 50%), with 12 WiSMs, 1600 APs and thousands and
 thousands of users on multiple WLANs. But- we keep ALL APs, WiSMs, WCS,
 and loc servers in a private management VLAN that is heavily protected.
 Not sure if this has a bearing. This has always been the case (low CPU),
 across multiple code versions.

 That being said- we have had just about every other problem associated
 with the WiSMs and or WCS that you can imagine. Has been challenging, to
 say the least.

 Lee H. Badman
 Wireless/Network Engineer
 Information Technology and Services
 Syracuse University
 315 443-3003

 -Original Message-
 From: James J J Hooper [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 13, 2008 4:11 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] Cisco Wisms CPU

 Hi All,
   A quick question for those out there with WISMs... What level of
 CPU usage are you experiencing (with how many users)?

 A bit of background...
 We have two wism blades (4 wisms) and since we purchased them in
 about april'07 they were running at about 35%, rising to 50% at peak
 times, with frequent spikes up to about 90%. The spikes were
 worrying, but the average seemed ok, and as they did this from day
 one I was under the impression this was the norm.

 Recently, we upgraded to the 4.2.x.y stream from 4.1. As has been
 covered in other recent posts, 4.2 has some outstanding issues (more
 than others anyway) and things became unstable... so we decided to go
 back to 4.1.85.0 (TAC hasn't provided us with any solutions for 4.2
 issues). We had a backup of our previous 4.1 config, but I chose not
 to use it and start again from scratch (a few things had changed, so
 either way involved work)

 Since the reversion to 4.1.85.0, our cpu usage now averages 2% and
 peaks at 6% at peak times (220 waps, ~350 users).
 [4.1.85.0, 12.2(18)SXF7]

 Thanks,
   James

 --
 James J J Hooper
 Network Specialist
 Information Services